EP1695485B1 - Method for automatically classifying a set of alarms emitted by sensors for detecting intrusions of a information security system - Google Patents

Abstract

The process involves organizing attributes of each attribute domain into a hierarchical structure comprising several levels. A lattice is constructed for each alarm originated from intrusion sensing probes (11a-11c) according to the structure. The lattices are iteratively merged to form a general lattice. Alarms that are pertinent and general are identified to produce synthetic alarms for an output unit of an alarm management system. An independent claim is also included for a computer program implementing a process for classifying alarm sets.

Description

Background of the invention

The invention relates to a method for automatic classification of a set of alerts from intrusion detection probes.

Information systems security requires the deployment of IDS intrusion detection systems with intrusion detection probes that issue alerts to alert management systems.

Indeed, intrusion detection probes are active components of the intrusion detection system that analyze one or more data sources looking for events that are characteristic of intrusive activity and issue alerts to management systems. alert. An alert management system centralizes the alerts from the probes and possibly performs an analysis of all these alerts.

Intrusion detection probes generate a very large number of alerts that can include several thousand per day depending on configurations and the environment.

Excess alerts can result from a combination of several phenomena. First, false alerts account for up to 90% of the total number of alerts. Then the alerts are often too granular, that is to say that their semantic content is very poor. Finally, alerts are often redundant and recurrent.

The upstream processing of alerts at the level of the management system is therefore necessary to facilitate the analysis work of a security operator. This treatment consists in correlating the alerts, it's up to say to reduce the overall amount of alerts, while improving their semantics. This can be done by unsupervised classification of alerts.

The purpose of the unsupervised classification is to split the alert space into several classes taking into account the variables that characterize them.

In this field of application, the alerts that are the subject of the classification are described by essentially qualitative and structured variables.

Qualitative and structured variables are variables belonging to discrete domains each of which is provided with a partial order.

Classification methods for structured qualitative variables are called conceptual classifications.

A conceptual classification method is proposed by R.S. Michalsky and R.E. Stepp, in a publication entitled "Learning from Observation: Conceptual Clustering", in the journal "In Machine Learning: An, Artificial Intelligence Approach", published in 1993.

This method constructs a conceptual hierarchy from a set of data downwards, by determining a partition of a complete set of data into several disjoint classes.

The approach used in this method of Michalsky is therefore unsuited to the classification of alerts, since it partitions all the data and is unable to integrate new data without having to be reset.

Indeed, the databases of alerts are highly dynamic because there can be several new alerts per second.

Another conceptual classification method is proposed by DH Fisher, in a publication of a doctoral thesis entitled "Knowledge Acquisition via Incremental Conceptual Clustering", Department of Information and Computer Science, University of California, 1987.

Fisher's method is an incremental conceptual classification, which does not require prior knowledge of the number of classes desired. On the other hand, this method is used for nominal variables.

Other methods derived from the Fisher method support structured data. The structure of the hierarchy obtained by these methods is strongly dependent on the order of insertion of the data. In addition, Fisher's approach produces a partition of all data.

Moreover, Manganaris et al, in a publication at the 2nd International Workshop on Recent Advances in Intrusion Detection 1999, entitled "A Data Mining Analysis of RTID Alarms", propose to model a tolerated behavior of an information system to the help alerts provided by intrusion detection tools. The use of "IDS" intrusion detection systems in an operational environment shows that the less frequent alerts are generally the most suspicious.

According to this model, recurring alerts are considered to be either false alerts due to the normal behavior of information system entities, but which seems intrusive from the point of view of IDS systems, that is entity failures.

Another method of alert classification is proposed by K. Julisch, in a publication of "Proceedings of the 17th ACSAC" in 2001, entitled "Mining Alarm Clusters to Improve Alarm Handling Efficiency". This method proposes a generalization of alerts to highlight groups of alerts more relevant than each alert taken individually.

The method used by Julisch is a modification of another known method proposed by Han et al, published in "Advances in Knowledge Discovery and Data Mining, AAAI Press" in 1996 under the title "Exploration of the Power of Attribute-Oriented Induction". Data mining ". / Mit Press, 1996.

Briefly, the method used by Han consists in generalizing structured variables. The domain of each variable has a partial order represented by a tree hierarchy, whose level of abstraction or generalization is increasing from the leaves to the top of the hierarchy.

Hall's method is iterative. Each iteration consists of choosing an attribute and generalizing the value of the attribute of each individual, according to the hierarchy associated with it. Variables that become equal after a generalization are merged. The overall number of variables therefore decreases with each iteration. The process stops when the number of variables falls below a given threshold.

This stopping criterion is not satisfactory because one can not know a priori how many groups of alerts it is desirable to present to the security operator. In addition, the generalized alerts obtained may be over-generalized and their interest limited. The difficulty of the approach is therefore to find a good compromise between a significant reduction in the number of alerts and the maintenance of their relevance.

So, the change made by Julisch consists of removing from the set of alerts submitted to the generalization process any generalized alert whose number of underlying alert instances exceeds a given threshold.

In order to avoid the over-generalization phenomenon, the generalization performed on the remaining generalized alerts is canceled, and the process is reiterated with another attribute.

The disadvantage of this method is that it does not identify relevant generalizations that might have occurred if the alerts provided to the security operator had been retained for the following generalizations. In addition, the nature of the generalized alerts obtained depends on the order of attributes that is based on heuristics.

Finally, the Julisch method is not incremental and the generalization process must be reset each time the security operator requests.

EP-A-0985995 (IBM), March 15, 2000, discloses the preamble of claim 1.

Object and summary of the invention

The aim of the invention is to overcome these drawbacks, and to provide a simple method of unsupervised classification of alerts from intrusion detection probes to generate the most general and relevant synthetic alerts presenting a global vision of the set of alerts and fully automatically.

• organiser les attributs appartenant à chaque domaine d'attribut en une structure hiérarchique comportant plusieurs niveaux définis selon la relation d'ordre partiel du domaine d'attribut, la pluralité de domaines d'attributs formant ainsi plusieurs structures hiérarchiques ;
• construire pour chaque alerte issue des sondes de détection d'intrusions, un treillis propre à cette alerte en généralisant chaque alerte selon chacun de ses attributs et à tous les niveaux de la structure hiérarchique, le treillis propre comportant des noeuds correspondant à des alertes, liés entre eux par des arcs de sorte que chaque noeud est lié à un ou des noeuds parents et/ou un ou des noeuds enfants ou descendants ;
• fusionner de façon itérative dans un treillis général, chacun des treillis propres ;
• identifier dans le treillis général, les alertes synthétiques en sélectionnant les alertes qui sont à la fois les plus pertinentes et les plus générales selon des critères statistiques et selon l'appartenance de leurs attributs à des niveaux inférieurs des structures hiérarchiques; et
• produire les alertes synthétiques à une unité de sortie d'un système de gestion d'alertes afin de présenter une vision globale de l'ensemble des alertes issues des sondes de détection d'intrusions.

These goals are achieved through a method of automatically classifying a set of alerts from intrusion detection probes of an information security system to produce synthetic alerts, each alert being defined by a plurality of alerts. qualitative attributes belonging to a plurality of attribute domains each of which is provided with a partial order relationship, characterized in that it comprises the following steps:

• arranging the attributes belonging to each attribute domain into a hierarchical structure having a plurality of levels defined according to the partial order relationship of the attribute domain, the plurality of attribute domains thereby forming a plurality of hierarchical structures;
• construct for each alert issued by the intrusion detection probes, a lattice specific to this alert by generalizing each alert according to each of its attributes and at all levels of the hierarchical structure, the trellis own node having nodes corresponding to alerts, interconnected by arcs so that each node is linked to one or more parent nodes and / or one or more child nodes or descendants;
• iteratively merge into a general lattice, each of the lattices clean;
• identify synthetic warnings in the general lattice by selecting the alerts that are both the most relevant and the most general according to statistical criteria and according to the membership of their attributes at lower levels of the hierarchical structures; and
• produce synthetic alerts to an output unit of an alert management system in order to present a global view of all alerts from intrusion detection probes.

Thus, the method according to the invention is an incremental method and provides potentially non-disjoint alert classes.

• récupérer pour tout attribut généralisable d'une alerte donnée, la valeur généralisée de cet attribut à partir de sa structure hiérarchique pour former une nouvelle alerte plus générale que ladite alerte donnée;
• ajouter un nouveau noeud au treillis propre correspondant à la nouvelle alerte et ajouter un arc allant du nouveau noeud de la nouvelle alerte au noeud de l'alerte donnée ;
• ajouter des arcs manquants allant des noeuds parents de l'alerte donnée, issus de la généralisation de l'alerte donnée selon ses autres attributs, au noeud de la nouvelle alerte.

According to a first aspect of the invention, the construction of a clean lattice comprises the following steps:

• retrieve for any generalizable attribute of a given alert, the generalized value of this attribute from its hierarchical structure to form a new alert more general than said given alert;
• add a new node to the clean mesh corresponding to the new alert and add an arc from the new node of the new alert to the node of the given alert;
• add missing arcs from parent nodes of the given alert, resulting from the generalization of the alert given according to its other attributes, to the node of the new alert.

• sélectionner un premier noeud correspondant à une première alerte appartenant au treillis propre donné, et un second noeud correspondant à une seconde alerte appartenant au treillis général ;
• supprimer tous les arcs provenant des noeuds parents d'un noeud enfant du premier noeud si ledit noeud enfant appartient aussi au treillis général,
• ajouter au treillis général ledit noeud enfant et l'ensemble de ses descendants si ledit noeud enfant n'appartient pas au treillis général.

According to a second aspect of the invention, the fusion of a given clean lattice in the general lattice comprises the following steps:

• selecting a first node corresponding to a first alert belonging to the given clean lattice, and a second node corresponding to a second alert belonging to the general lattice;
• delete all the arcs from the parent nodes of a child node of the first node if the child node also belongs to the general lattice,
• add to the general lattice said child node and all of its descendants if said child node does not belong to the general lattice.

According to a third aspect of the invention, a relevant alert is identified when each of the sets of child nodes of the relevant alert resulting from a specialization of this alert according to each of its attribute domains is homogeneous, and when the number of elements comprising said each set of child nodes of the relevant alert is greater than a threshold value.

Advantageously, the synthetic alerts are associated with different groups of alerts from the probes so that these groups are not necessarily mutually exclusive.

The plurality of attribute domains may include domains from the following sets: set of attack identifiers, set of attack sources, set of attack targets, and set of attack dates.

The invention is also directed to a computer program designed to implement the above method, when executed by the alert management system.

Brief description of the drawings

• la figure 1 est une vue très schématique d'un système de sécurité d'information comportant un système de gestion d'alertes selon l'invention ;
• la figure 2 est un organigramme de formation d'un treillis propre selon l'invention ;
• la figure 2A montre très schématiquement le mécanisme de la figure 2 ;
• la figure 3 est un organigramme de fusion d'un treillis propre dans un treillis général selon l'invention ;
• les figures 3A et 3B montrent très schématiquement le mécanisme de la figure 3 ;
• la figure 4 est un organigramme de sélection des alertes synthétiques selon l'invention ;
• la figure 5 montre de façon très schématique une alerte associée à différentes alertes synthétiques selon l'invention ;
• les figures 6A à 6C montrent très schématiquement des hiérarchies simplifiées associées aux différents domaines d'attributs des alertes selon l'invention ; et
• la figure 7 illustre un treillis général associé à deux alertes généralisées selon les hiérarchies des figures 6A à 6C.

Other features and advantages of the invention will appear on reading the description given below, by way of indication but not limitation, with reference to the accompanying drawings, in which:

• FIG. 1 is a very schematic view of an information security system comprising an alert management system according to the invention;
• Figure 2 is a flow chart for forming a clean mesh according to the invention;
• Figure 2A shows very schematically the mechanism of Figure 2;
• FIG. 3 is a flow diagram of the fusion of a clean lattice in a general lattice according to the invention;
• FIGS. 3A and 3B show very schematically the mechanism of FIG. 3;
• FIG. 4 is a selection flow chart of the synthetic alerts according to the invention;
• FIG. 5 very schematically shows an alert associated with different synthetic alerts according to the invention;
• FIGS. 6A to 6C show very schematically simplified hierarchies associated with the various attribute domains of the alerts according to the invention; and
• FIG. 7 illustrates a general lattice associated with two generalized alerts according to the hierarchies of FIGS. 6A to 6C.

Detailed description of embodiments

FIG. 1 illustrates an example of an intrusion detection system 1 connected through a router 3 to an external network 5 and to an internal network 7a and 7b with a distributed architecture.

The intrusion detection system 1 comprises several intrusion detection probes 11a, 11b, 11c, and an alert management system 13. Thus, a first intrusion detection probe 11a monitors the alerts coming from the intrusion detection system 11. outside, a second probe 11b monitors a part of the internal network 7a comprising work 15 and a third probe 11c monitors another part of the internal network 7b including servers 17 delivering information to the external network 5.

The alert management system 13 may comprise a host 19 dedicated to the processing of alerts, a database 21, and an output unit 23.

Thus, the probes 11a, 11b, 11c deployed in the intrusion detection system 1 send (arrows 26) their alerts 25 to the alert management system 13. The latter, in accordance with the invention, proceeds to an automatic classification. of this set of alerts and sends synthetic alerts to the output unit 23 to present a global view of all alerts from the intrusion detection probes 11a, 11b, 11c.

Indeed, the host 19 of the warning management system 13 includes processing means for automatically sorting the alerts and storing this classification in the form of trellises in the database 21.

Thus, a computer program designed to implement the present invention can be executed by the alert management system.

Alerts and in a general way, the data that can be the object of a conceptual classification are n-tuples of attributes (a ₁ , ... a _i , ..., a _n ) ∈ A ₁ × ··· × Ai × ··· × a _n, Ai being a discrete set with a partial order relation ≺ _Ai defining the attribute field _i.

The partially ordered sets can be represented by a Hasse diagram, ie by a directed acyclic graph or a hierarchical structure G = ( A _i , cov er (≺ _Ai )) whose set of nodes consists of the elements of Ai and the set of arcs is constituted by the cover of the relation of partial order.

In the present embodiment, we restrict the attribute hierarchies to balanced trees: each attribute value has at most one parent, and the distance of the leaves at the top of the tree is a constant. However, the present invention can easily be adapted to more elaborate hierarchies.

A hierarchical structure can be considered as a tree structure where the ancestor of an element b is an element a such that b ≺ _Ai a. In this case we say that the element a is more abstract or more general than the element b, and conversely, we say that the element b is more specific than the element a.

In particular, the element a is a direct ancestor of b if ( a, b ) ∈ cov er ( ≺ _Ai ) , that is, if there is not an intermediate element g between the elements a and b, or formally if b ≺ _Ai a and (∄ g / ( g ≺ _Ai a and b ≺ _Ai g )) .

The most specific elements of an attribute domain Ai, forming a hierarchical structure, define what are called the leaves of this hierarchical structure. Thus, a sheet f is an element f ∈ Ai such that ∄ g ∈ A _i such that g ≺ _Ai f .

Each attribute has a level of abstraction or generalization, defined by an integer corresponding to the height of the attribute in the hierarchical structure. Level 0 is assigned to the root of the hierarchy, that is, to the most general set of elements. The level of abstraction or generalization of any element is worth the level of abstraction of its direct ancestor increased by the value 1.

Thus, each alert can be defined by a plurality of qualitative attributes ( a ₁ , ... a _i , ... a _n ) belonging to a plurality of attribute domains ( A 1 , ..., A 1 ,. ..An ) each of which has a partial order relationship.

The attributes belonging to each attribute domain Ai can therefore be organized into a hierarchical structure comprising several levels defined according to the partial order relation of the attribute domain. Then, the plurality of attribute domains ( A 1 , ..., Ai, ... An ) form several hierarchical structures.

Generally, we will speak of "concept" to designate any element of A 1 × ... × An. In addition, the non-generalized concepts, that is to say the concepts whose attributes do not belong that leaves of hierarchies are called "individuals". Thus, alerts from the intrusion detection probes 11a, 11b, 11c can be considered as individuals that are the subject of the classification.

The objective of the classification according to the invention is to identify relevant concepts by performing successive generalizations on the attributes of the individuals, according to their partial order relationship.

The concepts to be classified are structured in a lattice T = ( C, R ) where R ⊆ C × C , and C is the set of nodes of the lattice corresponding to the concepts. Thus, in a lattice the notion of concept can be confused with that of the node.

There is a link ( c ₁ , c ₂ ) ∈ R from node c ₁ to node c ₂ if c ₁ is derived from the abstraction or generalization of c ₂ according to any attribute. We denote ↑ ( c ₁ ) = { c ₂ ∈C / ( c ₂ , c ₁ ) ∈R } the set of parent nodes of the node c ₁ . Similarly, we denote ↓ ( c ₁ ) = { c ₂ ∈ C / ( c ₁ , c ₂ ) ∈ R } the set of child nodes of c ₁ .

The subset ↓ ^Ai ( c ) of the set ↓ ( c ) is the set of child nodes of c, resulting from the specialization of c according to the attribute domain Ai.

Similarly, the subset ↑ ^Ai ( c ) of the set ↑ ( c ) is the set of parent nodes of c , resulting from the generalization of c according to the attribute domain Ai.

Note that the relation ↓ ^Ai can be considered as a function when the hierarchical structure is a tree structure.

où c[Ai] désigne l'attribut appartenant au domaine d'attribut Ai du concept c.Thus, we can define a partial order relation ◁ on the set of concepts in the following way: $$◃\in \mathrm{VS}\leftrightarrow \mathrm{VS}:{\mathrm{vs}}_1◃{\mathrm{<figure-callout\; id="2"\; label="vs"\; filenames="imgf0004.png"\; state="\{\{state\}\}">vs</figure-callout>}}_2\iff \left\{\begin{array}{c}\mathit{\exists }\mathit{Have}\mathit{,}{\mathit{vs}}_{\mathrm{1}}\left[\mathit{Have}\right]{\mathit{\prec }}_{\mathit{Have}}{\mathit{vs}}_{\mathrm{2}}\mathit{\left[}\mathit{Have}\mathit{\right]}\\ \mathit{\forall }\mathit{aj}\mathit{,}{\mathit{vs}}_{\mathrm{1}}\left[\mathit{aj}\right]{\mathit{⪯}}_{\mathit{Have}}{\mathit{vs}}_{\mathrm{2}}\mathit{\left[}\mathit{aj}\mathit{\right]}\end{array}\right\},$$

where c [ Ai ] designates the attribute belonging to the attribute domain Ai of the concept c .

This partial order relation ◁ makes it possible to construct for each individual i , in particular for each alert resulting from the intrusion detection probes, a lattice specific to this alert by generalizing each alert according to each of its attributes and at all levels of detection. the hierarchical structure.

$$\mathit{Ri}=\left\{\left(c_j,,c_k\right)\in \mathit{Ci}\times \mathit{Ci}/\left\{\begin{array}{c}\exists !\mathit{Al}/\left(c_j\left[\mathit{Al}\right],c_k\left[\mathit{Al}\right]\right)\in \mathrm{cover}\left({\prec }_{\mathit{Al}}\right)\\ \forall \mathit{Am}\ne \mathit{Al},c_j\left[\mathit{Am}\right]=c_k\left[\mathit{Am}\right]\end{array}\right\}\right\}$$

Formally, if i = ( a ₁ , ..., a _n ) is an individual, the proper lattice Ti = (Ci, Ri) associated with the individual i is defined as follows: $$\mathit{This}=\left\{\left({\mathrm{vs}}_1,...{\mathrm{vs}}_{\mathrm{not}}\right)\in \mathrm{AT}1\times ...\mathit{Year}/{\mathrm{at}}_j⪯{}_{\mathit{aj}}{\mathrm{vs}}_j\right\}$$

$$\mathit{Ri}=\left\{\left({\mathrm{vs}}_j,,{\mathrm{vs}}_k\right)\in \mathit{This}\times \mathit{This}/\left\{\begin{array}{c}\exists !\mathit{al}/\left({\mathrm{vs}}_j\left[\mathit{al}\right],{\mathrm{vs}}_k\left[\mathit{al}\right]\right)\in \mathrm{cover}\left({\prec }_{\mathit{al}}\right)\\ \forall \mathit{Am}\ne \mathit{al},{\mathrm{vs}}_j\left[\mathit{Am}\right]={\mathrm{vs}}_k\left[\mathit{Am}\right]\end{array}\right\}\right\}$$

Thus, a general lattice containing all the concepts can be constructed by successive additions of clean lattices.

The insertion of an individual into the general lattice is done by fusing the lattice proper to the individual with the general lattice.

Formally, given the set I of individuals, the general lattice T = ( C, R ) is defined as follows: $$\mathrm{VS}={\displaystyle \underset{i\in I}{\cup }}\mathit{This}\begin{array}{}\end{array}\mathrm{and}\begin{array}{}\end{array}R={\displaystyle \underset{i\in I}{\cup }}\mathit{Ri}$$

Thus, a clean mesh can be constructed for each alert from the intrusion detection probes 11a, 11b, 11c. This clean lattice therefore comprises nodes corresponding to alerts, interconnected by arcs so that each node is linked to one or more parent nodes and / or one or more child or descendant nodes.

Next, each of the clean lattices associated with the alerts from the intrusion detection probes may be iteratively fused into the general lattice.

Finally, synthetic warnings can be identified in the general lattice, by selecting the alerts that are both most relevant and general according to statistical criteria and according to the membership of their attributes at lower levels of the hierarchical structures.

Indeed, Figures 2 to 4 show flowcharts illustrating the formation of the lattice specific to a given individual, the merger of a given lattice in the general lattice, and the selection of relevant and general concepts.

The flowchart in Figure 2 shows the formation of a lattice specific to a given individual. More particularly, it shows the construction of a proper lattice Ti = ( Ci, Ri ) being developed in the vicinity of a given given concept or alert.

Thus, in step E0, the given concept c = ( a ₁ , ..., a _n ) is defined , as is the index l corresponding to the index of the attribute from which the generalization is implemented. , recognizing that the generalizations according to the lower index attributes are considered to correspond to concepts that have already been added to the own lattice Ti during previous recursive calls.

The steps E1 to E3 are a main loop that iterates over the attribute indices according to which the node given as parameter, at the step E0, will be generalized. Iteration is done for all the indices k between l and n and for all the attributes a _k generalizable.

Thus, for every attribute a _k that can be generalized from its hierarchical structure, the function genAtt ( c, k ) is calculated in step E2 , which retrieves the value of the attribute that generalizes that of a _k to form a concept p corresponding to the generalization of the concept c according to the index k .

This generalized concept p is added to the lattice Ci = Ci ∪ p and an arc is added from the concept c to the concept p , that is to say Ri = Ri∪ {( p, c )} .

Step E3 is an internal loop that adds the missing arcs from the parent nodes of the concept c, resulting from the generalization of c according to all the attributes of index less than or equal to k , that is to say Ri = Ri ∪ {(↑ ^Ak ↑ ^Ah ( c ), p )}.

Step E4 is a recursive call where the flowchart is applied for new parameters.

Thus, the algorithm for forming a clean lattice for a given concept c can be described as below:

More particularly, FIG. 2A shows an example of the construction of the own lattice 31 from a given alert corresponding to a given node A according to the second attribute of the node A. In other words, from the call parameters ( c = A, k = 1 , Ti = Tc ).

Generally speaking, for any generalizable attribute of the given alert, the generalized value of this attribute is retrieved from its hierarchical structure to form a new alert that is more general than the alert given.

According to this example, at step k = 2 of the algorithm, a new node D corresponding to the new alert formed according to the generalization of the second attribute of node A, is added to the lattice and an arc (D, A ) from the new node D of the new alert to the node A of the given alert.

Then missing arcs from the parent nodes of the alert A given at node D of the new alert are added. The parent nodes of the given alert come from the generalization of the alert given according to its other attributes.

According to this example, at the previous iteration (k = 1 ), the vertex lattice B has been constructed. The generalizations of D according to attributes whose index is less than k have already been added, in this case C, for k = 1. Thus, only the missing arc (C, D) is added.

The algorithm is re-executed recursively with parameters (D, 2, T).

In general, the trellis specific to individual i = (a _1, ..., a _n) is obtained by calling the Lattice Clean algorithm (c = i, k = 1, T = ({i} {})), knowing that initially, the clean lattice associated with node i is formed of a single node and the set of arcs is still empty.

The flowchart of FIG. 3 shows the fusion of a given clean lattice in the general lattice.

In step E10, the initialization parameters are defined. In particular, it is selected a first node corresponding to a first alert or concept h belonging to the own lattice Ti = ( Ci, Ri ) , and a second node corresponding to a second alert or concept g belonging to the general lattice T = ( C, R ).

The main loop between the steps E11 and E14 or E15, iterates on the set of child nodes of the node h of the lattice clean passed in parameter, that is to say for h _j ∈ ↓ ( h ) .

Thus, in step E11 a child node h _j of the first node h is chosen.

In step E12, it is checked whether this child node h _j of the first node h also belongs to the general lattice. In other words, we check if ∃g _j ∈ ↓ ( g ) such that g _j = h _j .

If so, all the arcs from the parent nodes of this child node are deleted Ri = R - ↑ ( h _j ) in step E13, before proceeding to step E14.

Indeed, the following proposition says that if a node h _j of a proper lattice already exists in the general lattice, then all of its parents are also there, that is to say: $$\left(h_j\in \mathit{This}\wedge \exists {\mathrm{boy\; Wut}}_k\in \mathrm{VS},h_j={\mathrm{boy\; Wut}}_h\right)\Rightarrow \uparrow \left(h\right)\subseteq \mathrm{VS}\mathrm{.}$$

Step E15 is a recursive call where the flowchart is reapplied from step E11 but for new parameters.

Indeed, the children of the node h _j are not necessarily in the general lattice, so we must recursively execute the algorithm on this node h _j .

On the other hand, if the child node does not belong to the general lattice, then it suffices to add T = T∪Th _j and all of its descendants to step E15 before returning to step E11. .

The contraposition of the previous proposition assures us that there will be no duplication of nodes.

Thus, the algorithm for the merger of a lattice specific to the general lattice can be described as follows:

FIGS. 3A and 3B show schematically the merging mechanism of a lattice specific to the general lattice, according to the flowchart of FIG. 3.

In these two FIGS. 3A and 3B, the left trellis portion belongs to the general trellis and the right trellis portion belongs to the trellis that one wishes to merge. Grayed out nodes are the calling parameters of the algorithm. They are equal, by hypothesis (A = A ').

According to Figure 3A, one of the children B 'of A' is already present in A (B '= B) . Links 41, 43, and 45 to the immediate ancestors of B ' are deleted because we know that they are already in the general lattice. The algorithm is then called recursively on B and B '.

According to FIG. 3B, the node C does not exist as a child of A, then a link 47 (in dashed lines) is created between A and C, and the link 49 which links C to A 'is deleted. The sub-lattice with vertex C is therefore integrated into the general lattice.

The algorithm is called with as arguments the vertices of the lattice specific to the individual to be inserted and the vertex of the general lattice. As all the lattices have the same vertex corresponding to the most general node, the assumption that the concepts passed in arguments to the algorithm are equal is respected.

The flowchart in Figure 4 shows the identification of synthetic alerts or concepts providing a set P of alerts or concepts that are both the most relevant and the most general of an alert or concept c .

An alert or concept c is relevant if each of the sets ↓ ^Ai ( c ) is "homogeneous" and "sufficiently large".

A set of alerts or concepts is homogeneous if the dispersion of the number of individuals covered by each concept is not too great. For this purpose, a coefficient of variation is used in a known manner.

A set ↓ ^Ai ( c ) is sufficiently large if the number of elements that compose it is greater than a threshold value linked to the level of abstraction or generalization of the attribute Ai of c .

où la fonction p(c) désigne une fonction booléenne indiquant si un noeud est pertinent; F_Ai est l'ensemble formé des d'individus couverts par chaque concept de ↓^Ai (c) ; m_FAi est la moyenne de F_Ai ; σ_FAi sa variance; et τ_cAi représente la valeur de seuil liée au niveau d'abstraction du domaine d'attribut Ai de c. Formally: $$p\left(\mathrm{vs}\right)\iff \forall \mathit{Have},\left(\left|\mathit{Have}\right|>{\mathit{\tau }}_{{\mathrm{vs}}_{\mathit{Have}}}\begin{array}{}\end{array}\mathit{and}\begin{array}{}\end{array}\frac{{\mathit{\sigma }}_{F_{\mathit{Have}}}}{m_{F_{\mathit{Have}}}}<1\right),$$

where the function p ( c ) designates a Boolean function indicating whether a node is relevant; F _Ai is the set of individuals covered by each concept of ↓ ^Ai ( c ); m _{F Have} is the average of F _Ai ; σ _{F Have} its variance; and τ _{c Have} represents the threshold value related to the abstraction level of the attribute domain Ai of c.

The number of individuals covered by a concept is a value related to each node of the lattice and updated upon the merger of a clean lattice associated with an individual with the general lattice.

Thus, an alert is said to be relevant if each of the sets of child nodes of the relevant alert c resulting from the specialization of this alert c according to each of its attribute domains is homogeneous, and if the number of elements composing each of the sets child nodes of the relevant alert c is greater than a threshold value.

Step E20 of the flowchart of FIG. 4 corresponds to the definition of the call parameters. These parameters comprise a concept c of the general lattice T = ( C, R ), a set P of the relevant concepts previously found, and an integer t used for the tracing of the lattice.

Step E21, is a test to check the relevance of c . So if the concept c is relevant, then we go to the step E22, where the concept c is added to the set P of the relevant concepts P = P∪ { c }, and the set of more specific concepts than c possibly previously added are eliminated from the set P , that is to say P = P- {c _i ∈ P / c _i ◁ c }. Indeed, we search for the most abstract concepts, while being relevant.

On the other hand, if c is not relevant, then the algorithm is applied recursively, at the steps E23 on all the children of c coming from the specialization of c according to the attributes of indexes i superior or equal to t, that is to say c _i ∈ ↓ ^Ai ( c ), knowing that the other attributes have already been analyzed.

When the algorithm ends, a list including the concepts considered relevant and general is provided to the output unit 23 of the warning management system 13 so that a security operator can have a global view of all alerts. If the latter wants details on any concept c that he deems too abstract, then the algorithm is re-executed on all the children of this concept c .

Thus, the algorithm for identifying synthetic concepts can be described as below:

It should be noted that the synthetic alerts are associated with different groups of alerts from the probes so that these groups are not necessarily mutually exclusive.

Indeed, Figure 5 very schematically shows an alert associated with different synthetic alerts.

The A1 to A6 alerts issued by the intrusion detection probes are the sheets of the general lattice. The alert group associated with a general alert is the set of sheets accessible from this general alert.

Thus, the alert group A123 is associated with the synthetic alert S1 and the alert group A34 is associated with the synthetic alert S2. On the other hand, the A4 to A6 alerts are associated with an A7 general alert which is not a synthetic alert.

Given the very structure of the lattice, the groups of alerts are not mutually exclusive. Thus, the alert A3 participates in two phenomena, that is to say two different groups of alerts A123 and A34.

Alerts from intrusion detection probes are individuals defined by a plurality of attributes belonging to a plurality of attribute domains. Attribute domains can include a set of alert identifiers, a set of attack sources, a set of attack targets, and a set of attack dates.

FIGS. 6A to 7 show a simplified example of classification of a set of alerts originating from intrusion detection probes.

According to this example, the alerts are triplets ( name, src, dst ) ∈ N × S × D, where N represents the set of the alert identifiers, S represents the set of attack sources, and D represents the set of attack targets. In other examples, the alerts could consist of other types of attributes, or the same but with domains defined differently.

At the lowest level of abstraction, the alert identifiers are the signature identifiers of the Snort ^™ intrusion detection tool. The higher level of abstraction consists of the attack classes defined by Snort ^™ . The higher level of abstraction consists of a single element, "any".

Indeed, Figure 6A shows a simplified hierarchy associated with the domain of the set of identifiers. The first level of abstraction or generalization N11 includes the elements "att1" and "att2". The second and third levels of generalization N12, N13 include the elements "web-attack" and "any" respectively.

At the lowest abstraction level, the attack sources are IPv4 type addresses. The higher level of abstraction consists of network domain names managed by the IANA ^™ organization and its local branches (RIPE, APNIC, ARIN, etc.). IP addresses not registered in the IANA ^™ database or public addresses internal to the monitored information system or private IP addresses, are abstracted in CIDR type notation (eg 192.168.0.0/24). The upper level may consist of two elements, "external" and "internal" to designate the exterior and interior of the information system. The next level of abstraction consists of a single element, "any".

The example in Figure 6B shows a simplified hierarchy associated with the domain of the set of attack sources. The first level of abstraction or generalization with the elements "192.168.0.1" and "192.168.0.33". The second and third levels of generalization include the elements "internal" and "any" respectively.

At the lowest level of abstraction, attack targets are the public and private IP addresses of the information system. The next level of abstraction is network addresses in CIDR notation. The next level of abstraction consists of a single element, "any".

Figure 6C shows a simplified hierarchy associated with the domain of the set of attack targets. The first, second and Third levels of abstraction or generalization include the elements "192.168.0.10", "proxy", and "any" respectively.

Figure 7 illustrates a general lattice associated with two A1 and A2 alerts defined by A1 (att2, 192.168.0.1, 192.168.0.10) and A2 (att1, 192.168.0.33, 192.168.0.10).

According to this example and according to the attribute hierarchies of FIGS. 6A to 6C, the attack identifiers are generalized to the attack class "web-attack" and then to "any".

IP addresses of attackers are generalized to "internal" then "any".

The IP addresses of the victims are generalized according to "proxy" host, then to "any".

In this example, there are two separate 192.168.0.1 attackers of the A1 alert and 192.168.0.33 of the A2 alert that are internal IP addresses. There is only one victim 192.168.0.10, which is a web proxy.

The most abstract alert inferred by the system is (any, any, any). The full arrows denote a generalization according to the attribute that corresponds to the attack, the arrows in dashes denote a generalization according to the attribute that corresponds to the attacker, and the dashed arrows denote a generalization according to the attribute that corresponds to the victim.

At the end of the selection process of the relevant alerts, the system proposes the synthetic alert (web-attack, internal, proxy). Other alerts are either too general or too specific.

Claims (9)

1. Method of automatically classifying a set of alerts obtained from intrusion detection probes (11a, 11b, 11c) of an information security system (1) for producing summary alerts, each alert being defined by a plurality of qualitative attributes (a₁,..., a_n ) affiliated to a plurality of attribute domains (A₁ , ..., A_n ), each of which is provided with a partial order relation, characterized in that it comprises the following steps:

   - organizing the attributes affiliated to each attribute domain into a hierarchical structure comprising a number of levels defined according to the partial order relation of the attribute domain, the plurality of attribute domains thus forming a number of hierarchical structures;

   - constructing for each alert obtained from the intrusion detection probes (11a, 11b, 11c) a trellis specific to this alert by generalizing each alert according to each of its attributes and to all the levels of the hierarchical structure, the specific trellis comprising nodes, corresponding to alerts, interlinked by arcs such that each node is linked to one or more parent nodes and/or one or more child or descendent nodes;

   - iteratively merging each of the specific trellises into a general trellis;

   - identifying in the general trellis, the summary alerts by selecting the alerts that are both the most relevant and the most general according to statistical criteria and according to the affiliation of their attributes to lower levels of the hierarchical structures; and

   - producing summary alerts to an output unit (23) of an alert management system (13) in order to present an overview of all the alerts obtained from the intrusion detection probes (11a, 11b, 11c).
2. Method according to Claim 1, characterized in that the construction of a specific trellis comprises the following steps:

   - recovering for any generalizable attribute of a given alert, the generalized value of this attribute from its hierarchical structure to form a new alert that is more general than said given alert;

   - adding a new node to the specific trellis corresponding to the new alert and adding an arc going from the new node of the new alert to the node of the given alert;

   - adding missing arcs going from the parent nodes of the given alert, derived from the generalization of the given alert according to its other attributes, to the node of the new alert.
3. Method according to any one of Claims 1 and 2, characterized in that the merging of a given specific trellis into the general trellis comprises the following steps:

   - selecting a first node corresponding to a first alert affiliated to the given specific trellis, and a second node corresponding to a second alert affiliated to the general trellis;

   - deleting all the arcs originating from the parent nodes of a child node of the first node if said child node is also affiliated to the general trellis,

   - adding to the general trellis said child node and all of its descendents if said child node is not affiliated to the general trellis.
4. Method according to any one of Claims 1 to 3, characterized in that a relevant alert is identified when each of the sets of the child nodes of the relevant alert obtained from a specialization of this alert according to each of its attribute domains is uniform, and when the number of elements forming said each of the sets of the child nodes of the relevant alert is greater than a threshold value.
5. Method according to any one of Claims 1 to 4, characterized in that the summary alerts are associated with different alert groups obtained from the probes such that these groups are not mutually exclusive.
6. Method according to any one of Claims 1 to 5, characterized in that the plurality of attribute domains comprises domains from the following sets: set of alert identifiers, set of attack sources, set of attack targets, and set of attack dates.
7. Computer program characterized in that it is designed to implement the method according to any one of Claims 1 to 6 when it is executed by the alert management system (13).
8. Alert management system (13) for automatically classifying a set of alerts obtained from intrusion detection probes (11a, 11b, 11c) producing summary alerts, each alert being defined by a plurality of qualitative attributes (a₁ , ..., a_n ) affiliated to a plurality of attribute domains (A₁ , ..., A_n ), each of which is provided with a partial order relation, characterized in that it comprises:

   - processing means for organizing the attributes affiliated to each attribute domain into a hierarchical structure comprising a number of levels defined according to the partial order relation of the attribute domain, the plurality of attribute domains thus forming a number of hierarchical structures;

   - processing means for constructing, for each alert obtained from the intrusion detection probes (11a, 11b, 11c), a trellis specific to this alert by generalizing each alert according to each of its attributes and to all the levels of the hierarchical structure, the specific trellis comprising nodes, corresponding to alerts, interlinked by arcs such that each node is linked to one or more parent nodes and/or one or more child or descendent nodes;

   - processing means for iteratively merging into a general trellis each of the specific trellises;

   - processing means for identifying in the general trellis the summary alerts by selecting the alerts that are both the most relevant and the most general according to statistical criteria and according to the affiliation of their attributes to lower levels of the hierarchical structures; and

   - processing means for producing summary alerts to an output unit (23) in order to present an overview of the set of alerts obtained from the intrusion detection probes (11a, 11b, 11c).
9. Information security system (1) comprising intrusion detection probes and an alert management system (13) according to Claim 8.

Images